Received: (from majordomo@localhost) by oss.sgi.com (8.11.2/8.11.3) id f9QG3jb22873 for netdev-outgoing; Fri, 26 Oct 2001 09:03:45 -0700
Received: from noxmail.sandelman.ottawa.on.ca (cyphermail.sandelman.ottawa.on.ca [192.139.46.78]) by oss.sgi.com (8.11.2/8.11.3) with SMTP id f9QG3e022868 for ; Fri, 26 Oct 2001 09:03:40 -0700
Received: from marajade.sandelman.ottawa.on.ca ([2001:410:402:2:204:76ff:fe2d:8c]) by noxmail.sandelman.ottawa.on.ca (8.11.6/8.11.6) with ESMTP id f9QG3en02032 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK); Fri, 26 Oct 2001 12:03:42 -0400 (EDT)
Received: from marajade.sandelman.ottawa.on.ca (localhost [[UNIX: localhost]]) by marajade.sandelman.ottawa.on.ca (8.11.6/8.11.0) with ESMTP id f9QG3Rn06463; Fri, 26 Oct 2001 12:03:31 -0400 (EDT)
Message-Id: <200110261603.f9QG3Rn06463@marajade.sandelman.ottawa.on.ca>
To: Martin Josefsson
cc: "Manon F. Goo", design@lists.freeswan.org, netdev@oss.sgi.com
Subject: Re: [Design] skb->security and friends
In-reply-to: Your message of "Fri, 26 Oct 2001 17:02:20 +0200."
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Date: Fri, 26 Oct 2001 12:03:27 -0400
From: Michael Richardson
Sender: owner-netdev@oss.sgi.com
Precedence: bulk
Content-Length: 1956
Lines: 47

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Martin" == Martin Josefsson writes:
    Martin> [1 ]
    Martin> On Fri, 26 Oct 2001, Manon F. Goo wrote:
    >> > Aha, RGB! a customer for the skb->{security,ipcb,fwmark} mechanism.
    >> > Well maybe.
    >> > skb->security (16-bit)
    >> > skb->nfmark (much contention for this field)
    >>
    >> is it planned to be able to set nfmark value per connection for later
    >> processing with iptables ?

    Martin> There is an iptables module called CONNMARK for this purpose :)
    Martin> you mark the connection with a mark and all packets in that connection
    Martin> inherit that mark. But I don't think CONNMARK is part of the patch-o-matic
    Martin> :( So you'll have to search the netfilter-devel archives I think.

  The term "connection" as used by Manon refers to an IPsec SA.

  The packets that emerge from the IPsec tunnel have never been seen by the
system before (they were hidden by encryption).

  Conntrack will likely prove useful to short-circuit IPsec SPD (inbound)
tunnel processing, particularly for Opportunistic Encryption (which is
/32<->/32) uses, but we need to convince ourselves that there are no cache
coherency problems with this.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [